Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Return access_denied error when an OAuth2 request is denied #30974

Merged
merged 10 commits into from
May 20, 2024
Merged

Return access_denied error when an OAuth2 request is denied #30974

merged 10 commits into from
May 20, 2024

Conversation

Zettat123
Copy link
Contributor

@Zettat123 Zettat123 commented May 14, 2024
edited

According to RFC 6749, when the resource owner or authorization server denied an request, an access_denied error should be returned. But currently in this case Gitea does not return any error.

For example, if the user clicks "Cancel" here, an access_denied error should be returned.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label May 14, 2024
@pull-request-size pull-request-size bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label May 14, 2024
@github-actions github-actions bot added modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files labels May 14, 2024
wxiaoguang
wxiaoguang approved these changes May 15, 2024
View reviewed changes
Copy link
Contributor

@wxiaoguang wxiaoguang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM.

I guess the tests would fail because the id is used by htmlDoc.AssertElement(t, "#authorize-app", true), it can't be removed.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels May 15, 2024
@wxiaoguang wxiaoguang added the backport/v1.22 This PR should be backported to Gitea 1.22 label May 15, 2024
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels May 20, 2024
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label May 20, 2024
@lunny lunny enabled auto-merge (squash) May 20, 2024 07:02
@lunny lunny merged commit f1d9f18 into go-gitea:main May 20, 2024
26 checks passed
@GiteaBot GiteaBot added this to the 1.23.0 milestone May 20, 2024
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request May 20, 2024
@Zettat123 @GiteaBot
Return access_denied error when an OAuth2 request is denied (go-git…
e7cbf2b 
…ea#30974)

According to [RFC
6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1),
when the resource owner or authorization server denied an request, an
`access_denied` error should be returned. But currently in this case
Gitea does not return any error.

For example, if the user clicks "Cancel" here, an `access_denied` error
should be returned.

<img width="360px"
src="https://github.com/go-gitea/gitea/assets/15528715/be31c09b-4c0a-4701-b7a4-f54b8fe3a6c5"
/>
@GiteaBot GiteaBot mentioned this pull request May 20, 2024
Merged
@GiteaBot GiteaBot added backport/done All backports for this PR have been created and removed reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. labels May 20, 2024
wxiaoguang pushed a commit that referenced this pull request May 20, 2024
@GiteaBot @Zettat123 @KN4CK3R
Return access_denied error when an OAuth2 request is denied (#30974) (
8a259e5 
#31029)

Backport #30974 by Zettat123

Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
zjjhot added a commit to zjjhot/gitea that referenced this pull request May 21, 2024
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
d07ae65 
* giteaofficial/main:
  Don't include link of deleted branch when listing branches (go-gitea#31028)
  [skip ci] Updated translations via Crowdin
  Refactor sha1 and time-limited code (go-gitea#31023)
  Return `access_denied` error when an OAuth2 request is denied (go-gitea#30974)
  Avoid 500 panic error when uploading invalid maven package file (go-gitea#31014)
  Fix incorrect "blob excerpt" link when comparing files (go-gitea#31013)
  Fix project column title overflow (go-gitea#31011)
  Fix data-race during testing (go-gitea#30999)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lunny lunny lunny approved these changes

@wxiaoguang wxiaoguang wxiaoguang approved these changes

Assignees
No one assigned
Labels
backport/done All backports for this PR have been created backport/v1.22 This PR should be backported to Gitea 1.22 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files size/S Denotes a PR that changes 10-29 lines, ignoring generated files. type/bug
Projects
None yet
Milestone
1.23.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@Zettat123 @lunny @wxiaoguang @GiteaBot